Purple team exercises devolve into checkbox drills because ATT&CK technique IDs are too coarse
Organizations run purple team exercises by mapping red team actions to MITRE ATT&CK technique IDs (e.g., T1055 Process Injection), but a single technique ID covers dozens of distinct implementation variants, each with a different detection signature. Checking off T1055 after testing one variant gives false confidence that the SOC can detect all 15+ process injection methods. The gap persists because ATT&CK was designed as a knowledge base for threat intelligence, not as an operational testing framework, and sub-techniques only partially close it. No standard maps specific evasion variants to specific detection rules, so a technique-level checkbox says nothing about which variants were actually exercised or which rules fired.
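To make the granularity problem concrete, here is an added example (not from the page or from MITRE) of tracking purple-team coverage per sub-technique instead of per technique ID. The sub-technique IDs used are real ATT&CK identifiers under T1055; the detection rule names and the exercise results are constructed for illustration. Running one variant and ticking the technique box reports 100% coverage, while the variant-level view reports 25% and lists what was never tested and which variants have no detection rule mapped at all.

```python
"""Purple-team coverage tracked per ATT&CK sub-technique rather than per technique ID.

Constructed example: the sub-technique IDs are real ATT&CK identifiers; the
detection rule names and exercise results are made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Variant:
    """One concrete implementation variant of a technique (an ATT&CK sub-technique here)."""
    sub_id: str
    name: str
    expected_rules: list[str]                      # detection rules that should fire
    exercised: bool = False                        # has the red team run this variant?
    fired_rules: list[str] = field(default_factory=list)

    @property
    def detected(self) -> bool:
        # Covered only if the variant was run AND at least one expected rule fired.
        return self.exercised and any(r in self.expected_rules for r in self.fired_rules)


@dataclass
class TechniqueCoverage:
    technique_id: str
    name: str
    variants: dict[str, Variant]

    def record_test(self, sub_id: str, fired_rules: list[str]) -> None:
        """Record that a variant was exercised and which rules the SOC saw fire."""
        v = self.variants[sub_id]
        v.exercised = True
        v.fired_rules = list(fired_rules)

    def technique_level_coverage(self) -> float:
        """The checkbox view: 1.0 as soon as any single variant was detected."""
        return 1.0 if any(v.detected for v in self.variants.values()) else 0.0

    def variant_level_coverage(self) -> float:
        """Fraction of variants that were actually exercised and detected."""
        return sum(v.detected for v in self.variants.values()) / len(self.variants)

    def gaps(self) -> dict[str, list[str]]:
        """Where the exercise leaves blind spots, grouped by cause."""
        items = self.variants.items()
        return {
            "untested": sorted(i for i, v in items if not v.exercised),
            "tested_but_missed": sorted(i for i, v in items if v.exercised and not v.detected),
            "no_rule_mapped": sorted(i for i, v in items if not v.expected_rules),
        }


def build_t1055_example() -> TechniqueCoverage:
    """Constructed exercise record: one of four process-injection variants tested."""
    t = TechniqueCoverage("T1055", "Process Injection", {
        "T1055.001": Variant("T1055.001", "DLL Injection", ["RULE-DLL-INJECT-01"]),
        "T1055.003": Variant("T1055.003", "Thread Execution Hijacking", ["RULE-THREAD-HIJACK-01"]),
        "T1055.004": Variant("T1055.004", "Asynchronous Procedure Call", []),  # no rule mapped yet
        "T1055.012": Variant("T1055.012", "Process Hollowing", ["RULE-HOLLOW-01"]),
    })
    # The red team ran only the DLL injection variant, and the SOC's rule fired.
    t.record_test("T1055.001", ["RULE-DLL-INJECT-01"])
    return t


if __name__ == "__main__":
    cov = build_t1055_example()
    print(f"{cov.technique_id} technique-level coverage: {cov.technique_level_coverage():.0%}")
    print(f"{cov.technique_id} variant-level coverage:   {cov.variant_level_coverage():.0%}")
    for kind, ids in cov.gaps().items():
        print(f"  {kind}: {ids}")
```

The `no_rule_mapped` bucket is the one the page's last sentence is about: a variant the SOC has no rule for cannot be "covered" no matter how many times the red team runs it, and it only shows up when coverage is tracked below the technique ID.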
Evidence
https://attack.mitre.org/techniques/T1055/